Information Security Risk Management


Time: 9 hours 49 minutes
Difficulty: Beginner
CEU/CPE: 10
Video Transcription
00:01
>> We are now upon the section of information security risk management. In this next section, we're just going to lay the groundwork for what we're going to do. I'm just going to talk about information security risk management in broad terms, and then we're going to cover some definitions. One of the things I find is people use these risk terms sometimes interchangeably when that's not necessarily appropriate.

Information security risk management. Many times in organizations you'll hear that referred to as ISRM. You can also hear ERM, enterprise risk management, with the idea that it's really essential to incorporate our risk management strategy throughout the company as a whole, that it shouldn't just be one department or another, but as an organization we cultivate an understanding and a proactive stance on managing risks, but then also being able to respond to risks as they occur as well.

Let's get these definitions out of the way, make sure we're all on the same page. If we start out with risk management, always begin with your assets. Our assets are those things that I value. What do we value as an organization? As an organization, I value data, I value hardware, I value furniture, I value all tangibles but also my intangibles. Company reputation is huge, that's a tremendous asset. As a matter of fact, that's usually the most valuable asset a company has. We value our brand, we value goodwill in the community. We have all these intangible assets, but we always start by identifying them and then trying to get the value, understanding the value of those assets to our organization.

Once I know what my assets are, I then look at threats and vulnerabilities. The vulnerabilities are those areas of weakness. A lot of times areas where my asset is not protected, the absence of a safeguard, can be considered a vulnerability; that's the weakness. Then the threat is what's going to pose harm to the asset. A threat exploits a vulnerability to damage the asset, and the threat agent is usually what carries out that attack. It could be the attacker themselves, it could be specific pieces of malware or tools that are used; we consider those threat agents. Like I said, the exploit is when this happens, the compromise of a vulnerability by a threat to damage the asset.

Now, the risk is the probability of that threat materializing. We often talk about that in terms of total risk or inherent risk. Meaning, if I don't do anything, what is the probability of that threat materializing? Then usually we don't just talk about probability, but I'll also mention just briefly here, we think about impact as well; probability and impact of a threat exploiting a vulnerability.

Now, the way we mitigate those risks is through the implementation of controls. We mentioned in an earlier section our controls being physical, administrative, and technical protections that mitigate the risk or the potential for loss. We can differentiate between the types of controls based on whether they're proactive or reactive. The category of controls that are proactive we would call safeguards. For our safeguards, we have deterrent or preventive means. Now for reactive controls, we have our countermeasures, things that help us detect or correct or recover loss.

Residual risk. When I have total risk and I decide, wait a minute, this total risk is way too high, I can't accept this amount of total risk, then we implement controls. Controls usually lessen the risk. Well, how far do we need to reduce our risks before we can be done? Well, we reduce our risks to a degree that's acceptable to senior management. Rarely do we eliminate risks. Risk elimination is virtually impossible. There might be certain risks we avoid, but to eliminate risks can't be done. We reduce risks to the degree that's acceptable to senior management, and what's left over is referred to as residual risk. I have a certain amount of risk, I apply a control and that brings the risk amount down. If that's acceptable, good; if it's not acceptable, we apply another control and we look at the residual risk. You can really say the ultimate purpose of risk management is to reduce residual risk to a degree that's acceptable to senior management. That's really what we're trying to do.

Now, another issue with risk is sometimes one risk response causes another risk event. For instance, if there's a security vulnerability and I apply a patch to mitigate that risk, that patch may cause another piece of software on my system not to work; that would be a secondary risk. When we're doing risk management, we always have to follow our risk responses through and make sure that we're considering what we refer to as a control risk. You implement a control, there are risks associated with the control: you implement a firewall and there's the risk that it may block legitimate traffic. We have to consider those ideas of secondary risk.

Now, another thing to mention about risks. Risks are always unknown, they're in the future. We don't know if it's going to happen or not, we're really just doing our best planning. Once the risk event materializes, then we refer to it as an incident. An incident is a risk that has happened, that's transpired, but as long as it's in the future, it's still a risk.

In this section we just laid the groundwork for what we're going to do with the rest of the section on risk. We have talked about just management of risks as a whole, and, most importantly, we've laid out some of these definitions. Make sure that you're solid on the definitions because sometimes people will use terms like vulnerability and threat interchangeably, and that's just not correct. We've covered the definitions, and now we're ready to move into the next section where we'll look at the risk management life cycle.